Bug 1577222 - krb5-libs shipped in rhel 7.5 breaks heimdal-kdc
Status: NEW
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: heimdal
Version: epel7
Hardware: x86_64
OS: Linux
Target Milestone: ---
Assignee: Ken Dreyer
QA Contact: Fedora Extras Quality Assurance
Reported: 2018-05-11 13:47 UTC by Klarna IOCS
Modified: 2019-12-04 02:48 UTC (History)
Type: Bug


Description Klarna IOCS 2018-05-11 13:47:52 UTC
Description of problem:
krb5-libs-1.15.1-19 (bugzilla #1431198) breaks the heimdal kdc. heimdal-kdc will read and accept the includedir statement; it will, however, ignore anything below and leave the kdc unconfigured. This is partly a problem related to how heimdal parses its configuration; however, krb5-libs shouldn't introduce breakage.

Bug 1431198 - automatically add 'includedir /etc/krb5.conf.d/' to krb5.conf on update 

Version-Release number of selected component (if applicable):

How reproducible:
Every time

Steps to Reproduce:
1. Add includedir /etc/krb5.conf.d/ to the top of a working /etc/krb5.conf
2. restart heimdal-kdc
3. tail the heimdal kdc log and notice messages like "Ticket-granting ticket not found in database: opening /var/heimdal/heimdal: No such file or directory" indicating {mis,un}configured kdc

Actual results:
krb5-libs config changes break heimdal

Expected results:
krb5-libs shouldn't stealthily change configuration files and break working setups or, if it's really necessary, add the includedir statement where it works for all software using krb5.conf. For heimdal it seems to work when includedir is at the very end of the file.

Additional info:

Comment 2 Robbie Harwood 2018-05-11 15:08:44 UTC
I'm really sorry to hear that, but it's kind of too late to revert this in krb5.  We added this as part of RHEL-7.3; prior to that, it was in Fedora since 2015.

(We also do have a need for it - services using an include directory include crypto-policies, sssd, freeipa, and fedora_packager.)

Moreover, sssd has been configuring an include directory for even longer - possibly since the beginning of the project, though it definitely predates me either way.

Additionally, Heimdal is not a shipped or supported part of RHEL (which is in part why I keep bringing up Fedora).  I hope it wouldn't break by picking up the (required) krb5 libraries on the system, but that's best effort since Heimdal upstream was dormant for so long.

In the short term, I'm reassigning this bug to Heimdal in the hopes it can be resolved there.  Heimdal folks, if there's any assistance I can provide, please let me know.

For RHEL configurations, as expected I recommend using krb5 for KDC (optionally with freeipa) rather than Heimdal.  If you would like assistance in migration, we can assist in that.  If you would like to keep this configuration, in the short term you're going to have to remove this line.

Comment 3 Robbie Harwood 2018-05-11 15:16:05 UTC
Additional information: Heimdal docs suggest that this should work, as per their example config file: https://github.com/heimdal/heimdal/blob/master/doc/setup.texi#L55-L74

Comment 4 Klarna IOCS 2018-05-14 08:40:24 UTC
No problem!
I've quick-fixed the issue temporarily with 
# chattr +i /etc/krb5.conf
since I didn't want to poke around in the configs too much. Another solution that's a bit less drastic is to just add the include line at the bottom of /etc/krb5.conf, as it doesn't seem to break Heimdal. I'm not suggesting that krb5-libs should do that; it's just a pointer if somebody else runs into this. Also, I'm not sure what happens with other applications or if heimdal updates values as expected when the line is at the bottom of the file.


Comment 5 Klarna IOCS 2018-05-14 12:22:24 UTC
(In reply to Robbie Harwood from comment #3)
> Additional information: Heimdal docs suggest that this should work, as per
> their example config file:
> https://github.com/heimdal/heimdal/blob/master/doc/setup.texi#L55-L74

It works, when the includedir statement is after whatever settings you have in /etc/krb5.conf :)

Comment 6 Ken Dreyer 2018-05-18 23:18:40 UTC
I read bz 1431198 and some things are not clear to me.

Users expect to do the /etc/krb5.conf.rpmnew -> /etc/krb5.conf transition like other RHEL packages.

I agree with your quote in that bug, Robbie: "freeipa either needs to pay more attention to the system krb5.conf". If FreeIPA needed the missing includedir, it could add it itself, rather than having krb5-libs do this.

I get that the ship has sailed on this particular includedir change in RHEL 7.5, however, if the FreeIPA team wants krb5-libs to do more in-place krb5.conf changes on a file marked %config(noreplace), please point them at this bug. 
At any rate, I get that this is a sticky issue, and thank you Robbie for looking into the Heimdal docs there!

I agree with Robbie that if you're running a Kerberos environment based on Heimdal, please do give FreeIPA a try. I packaged Heimdal for Fedora and EPEL because my previous employer ran Heimdal on a Solaris environment where we then moved to Linux. I still try to keep Heimdal building on EL7 and Fedora, because I think it's worth it to have the bits available for users who were in my same situation, but I hope it's clear that the FreeIPA experience will always be more integrated on Red Hat-based platforms.

Klarna, what is the specific issue with "includedir" ordering you're seeing?

Comment 7 Klarna IOCS 2018-05-23 12:54:41 UTC
> Klarna, what is the specific issue with "includedir" ordering you're seeing?
The issue seems to be that nothing below the includedir statement in krb5.conf is evaluated. For example, if I have my entire krb5 configuration in /etc/krb5.conf without any parts split out into the defined includedir, I will end up with a seemingly unconfigured heimdal-kdc.

I didn't put much effort into troubleshooting this issue more than looking through the kdc logs and wondering why paths and such were off. (Re)moving the includedir line.

Preferably I would've decommissioned this service, but it seems like neither that nor any kind of migration is going to happen. I mostly opened this issue to help if any other poor soul was stuck with heimdal and wondered why their kdc stopped working.
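
A lint check for the layout described in comments 4 and 7, as an added example that is not part of the original thread or of either project's code: it lists active krb5.conf lines that sit below an include/includedir directive and can emit a copy with those directives moved to the end. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the bug thread: lint krb5.conf for the layout
# reported here (active configuration below an include directive).

# Print "LINE:TEXT" for every active line after the first include/includedir.
lines_after_include() {
    awk '
        /^[ \t]*$/ || /^[ \t]*[#;]/ { next }            # blanks, comments
        /^[ \t]*include(dir)?[ \t]/ { seen = 1; next }  # include directive
        seen                        { printf "%d:%s\n", NR, $0 }
    ' "$1"
}

# Succeed (exit 0) when the file has the at-risk layout.
config_follows_include() {
    [ -n "$(lines_after_include "$1")" ]
}

# Emit a copy on stdout with include directives moved to the end, the
# workaround reported in comment 4. The input file is left untouched.
move_includes_last() {
    awk '
        /^[ \t]*include(dir)?[ \t]/ { inc[++n] = $0; next }
        { print }
        END { for (i = 1; i <= n; i++) print inc[i] }
    ' "$1"
}

# Constructed sample: includedir at the top, as added by the krb5-libs update.
# EXAMPLE.COM is a placeholder realm.
write_sample() {
    cat > "$1" <<'EOF'
includedir /etc/krb5.conf.d/
# constructed sample, not a real configuration
[libdefaults]
    default_realm = EXAMPLE.COM
EOF
}

sample=$(mktemp)
write_sample "$sample"
lines_after_include "$sample"   # lists the lines Heimdal reportedly skips
rm -f "$sample"
```

Review the output of `move_includes_last` before installing it: comment 4 notes that the effect of the bottom placement on other applications was not checked.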

